[00:07.010 --> 00:14.060]  Hi everyone, we are AboDefense and we will make a presentation about Mexico's cybersecurity status.
[00:14.180 --> 00:19.360]  In this presentation we will talk about industrial cybersecurity footprint, key data,
[00:19.360 --> 00:25.300]  perspective, smart production, and sensor security experience, honeypot, lessons learned,
[00:25.300 --> 00:32.100]  and opportunities. Thank you ICS Village DEF CON 28 and the cyber colleagues on this opportunity
[00:32.100 --> 00:36.180]  to make a presentation about Mexico's industrial cybersecurity.
[00:37.800 --> 00:45.080]  Talking about Mexico facts and figures, we have facts and figures in terms of the economy.
[00:45.080 --> 00:51.320]  Mexico is ranked at position 12 around the world. Manufacturing services, transportation,
[00:51.320 --> 00:55.690]  utilities, and spending are the main economical activities in Mexico.
[00:56.140 --> 01:02.220]  In concern of the industrial sector, the manufacturing has an activity of 175 billion
[01:02.220 --> 01:08.860]  U.S. dollars. Key subject focus on ICS industrial security for this presentation.
[01:09.680 --> 01:16.780]  The top industrial sectors are in Mexico the automotive industry. It's the top five world
[01:16.780 --> 01:23.420]  with OEMs and their supply chain change. Medical is the second position in Latin America
[01:24.380 --> 01:29.180]  behind Brazil. Aeronautics 60 percent, more competitive, and electronics the
[01:29.180 --> 01:36.160]  largest economical region worldwide. Also Mexico have other industries like oil, electricity,
[01:36.480 --> 01:45.320]  food, textiles, agriculture, chemical services, consumers, and furniture, I mean other sectors.
[01:45.540 --> 01:53.080]  On the industrial sectors, more are important that the main manufacturing companies use 55 percent
[01:53.080 --> 02:01.920]  of isolated PLCs inside the ICS area. Most are isolated and most not connected to any network.
[02:01.920 --> 02:08.480]  Three percent of use industrial service at the shop floor and connected to the network.
[02:08.800 --> 02:12.920]  Most of these industrial services are set by the automotive international companies
[02:12.920 --> 02:19.820]  like from Germany or Japan, among other ones. Most of the industrial companies are located
[02:19.820 --> 02:23.720]  from center to the north of Mexico. As an example, the automotive industry is located
[02:24.590 --> 02:30.840]  from the center and the north of Mexico. In the case of aerospace and medical industries are
[02:30.840 --> 02:37.420]  situated on the northwest of Mexico. On the network subjects, we will see that the strongest future
[02:37.420 --> 02:45.130]  is based more in the north of Mexico. Southern Mexico is more agriculture and other topics.
[02:46.170 --> 02:56.330]  Mexico has around 50.3 million IP addresses, an average of 7.5 megabits and the cyber attacks
[02:56.330 --> 03:04.550]  around 28 from 195 countries. So basically, the most important in the case of the cyber attacks
[03:04.550 --> 03:14.930]  is mainly attacks to the government offices and other departments like, you know, banks and services.
[03:16.790 --> 03:23.110]  In terms of the SWOT, the ICS security, the strengths is that Mexico is growing in the industry
[03:23.110 --> 03:28.490]  from point zero. It's focused to the smart production, smart logistics, smart enterprises,
[03:28.490 --> 03:33.510]  among other ones, which require in a short period of time the implementation of the industrial
[03:33.510 --> 03:41.710]  cybersecurity practices. For the U.S.-Mexico-Canada trade, which was released the 1st of July 2020,
[03:41.710 --> 03:47.790]  covered the topic on digital and cyber security rules and process between the countries.
[03:48.110 --> 03:55.670]  It's a major important thing, because, especially for Mexico, because Mexico needs to follow up
[03:55.670 --> 04:00.650]  and implement the good practices and lessons necessary to accomplish the digital security
[04:00.650 --> 04:07.770]  and internet policies from this trade. In terms of the weakness, Mexico has no deep
[04:07.770 --> 04:13.110]  knowledge on ICS security topics. Also, the companies and the owners have no idea, even
[04:13.110 --> 04:19.090]  awareness, about industrial cybersecurity. For those insecure systems, there is insufficient
[04:19.090 --> 04:24.990]  information. There are opportunities as well. The U.S.-Mexico-Canada trade is focused to increase
[04:24.990 --> 04:31.250]  commercial competitiveness region against other markets, Asian markets or European markets.
[04:31.250 --> 04:36.610]  These trades include specific actions to meet cybersecurity terms, as the first one.
[04:37.610 --> 04:43.990]  Trade, according to our experience, the most attack to industrial is related to ransomware,
[04:43.990 --> 04:49.610]  especially on the ERP systems, as well as on all the internal attacks,
[04:49.610 --> 04:56.390]  is not recorded at this time. Based on the automotive industrial sector,
[04:57.850 --> 05:03.530]  Mexico is located... Mexico are located American companies, as well as European and Japanese
[05:03.530 --> 05:12.150]  companies, which are located on the supplier chain. The European most use the industrial
[05:12.150 --> 05:21.430]  cybersecurity architecture, according with the ISO and the improved and performance basis 4.0.
[05:22.050 --> 05:26.510]  The merits of the concept are the data in real-time and non-real-time, the integration
[05:26.510 --> 05:32.250]  and sharing data and connectivity. For the American enterprises, they follow the American
[05:34.630 --> 05:43.370]  Industrial Internet Reference Architecture, called IIRA. They use it as a key merit,
[05:43.370 --> 05:47.470]  real-time, non-real-time integration, shared data and connectivity, but as well,
[05:47.470 --> 05:52.150]  they use the protocols, those protocols like Profibus, Modbus, scan internet,
[05:52.150 --> 05:58.250]  Profinet, and the programs like a ladder and other devices with different kind of protocols,
[05:58.250 --> 06:03.410]  which is one of the important things to use for industrial architecture cybersecurity.
[06:04.410 --> 06:10.610]  According with our experience, during the last couple of years, we implemented for the industrial
[06:10.610 --> 06:16.570]  sector and the architecture different kind of layers. One of the layers is the sensor integrity
[06:16.570 --> 06:21.670]  that we will see in the next slides, the equipment, the bus data, and the network.
[06:25.020 --> 06:33.720]  The word industrial is in terms of the smart factory at this time, using industry 1.0 concept.
[06:34.130 --> 06:41.790]  They said the connectivity between machines and PLCs and other intelligent sensors, as well
[06:41.790 --> 06:47.330]  other equipment. So the smart factory has integrated all the elements in the shop floor,
[06:47.330 --> 06:54.930]  integrated in one unit. To accomplish and fulfill this strategy, we said that a smart
[06:54.930 --> 07:01.830]  production concept. This smart production concept is accomplished to fulfill the strategy
[07:01.830 --> 07:08.690]  that we set for the smart production. The smart production is set in individual modules, which
[07:08.690 --> 07:13.930]  are interconnected to the smart factory. This architecture integrates components from machines,
[07:13.930 --> 07:19.950]  sensors, PLC, network, servers, database, machine learning, machine-to-machine analytics,
[07:19.950 --> 07:25.290]  visualization, and artificial intelligence, among other technology and innovations.
[07:25.670 --> 07:30.490]  For a clean implementation, it was a set additional smart sensors to boost the power
[07:30.490 --> 07:36.710]  and the brains at the shop floor to implement the full smart production. That is the new trend.
[07:37.170 --> 07:42.470]  On the next slide, we will talk about the smart sensor cybersecurity. One important note on this
[07:42.470 --> 07:47.570]  activity that I want to share with you as experience is the synchronization and speed
[07:47.570 --> 07:54.350]  process key factor for industrial cybersecurity. It means low timing on industrial process is not
[07:54.510 --> 08:01.310]  a problem as we can use and save the cybersecurity procedures. High speed industrial process, which
[08:01.310 --> 08:08.930]  required up and down information to act, for example, above or open a sector or review
[08:09.430 --> 08:15.450]  a model, less than 500 milliseconds make a major complexity to implement the smart factory
[08:15.450 --> 08:22.270]  with industrial cybersecurity. Also, the lessons learned about the synchronization topic give it two
[08:22.270 --> 08:28.430]  strategies recommendation in according with our experience. One refers to set the PLC
[08:28.430 --> 08:34.830]  responsibility as it was designed at the long time means that the devices was to control dedicated
[08:34.830 --> 08:42.210]  process and machines, only that. We not recommended that the PLC is doing extended activities. That
[08:42.210 --> 08:48.810]  means doing everything. So everybody can say that a PLC and share and tell you that a PLC make
[08:48.810 --> 08:55.230]  everything. This is not true. This is a dangerous equation. The second one is to reduce or eliminate
[08:55.230 --> 09:03.510]  PLC connectivity into industrial bus network. That means that the PLC has to do his own job.
[09:04.230 --> 09:09.650]  One is concerned, of course, if we put it the PLC on the network is to reduce the potential
[09:09.650 --> 09:15.050]  vulnerability. And the second one is to reduce the issue on the synchronization on the process
[09:15.050 --> 09:21.190]  and the bus network. One of the topics to confirm that we have experienced that is difficult to set
[09:21.670 --> 09:30.130]  a service security, industrial service security. For the smart sensors and service security
[09:30.130 --> 09:38.050]  strategy that we set as SICS, which means the S is a sensor, the I is integrity, the C is for
[09:38.050 --> 09:45.070]  connectivity and the S for security. This concept that we are implemented, we use it, we divide it
[09:45.070 --> 09:50.750]  in three blocks. One is related to the sensor integrity, the sensor connectivity and the sensor
[09:50.750 --> 09:57.330]  cybersecurity as mentioned. The sensor integrity includes physical and functionality layers.
[09:57.330 --> 10:03.110]  The physical take the sense of damage, which is common sometimes that people can damage during
[10:03.110 --> 10:09.890]  the process at the shop floor or could be not intentional to damage the sensor. So the
[10:09.890 --> 10:15.470]  cybersecurity protection tell us that the damage is made on the sensor and then we have to be
[10:15.470 --> 10:22.070]  replaced or make an action immediately. So the cycle life of the sensor is important because
[10:22.070 --> 10:29.270]  the cycle of the sensor, when the sensor is used by a resistance to review and sense the
[10:29.270 --> 10:34.070]  level of the water, that can be changed immediately when we see that the response
[10:34.070 --> 10:40.250]  of the information is not quite right. So we're using this information and review as a status
[10:40.250 --> 10:46.750]  control loop to be that the cycle life of the center is okay. Actually as well, in terms of
[10:46.750 --> 10:52.150]  functionality, the views of the sensor as well, the software, the program, there are many key
[10:52.150 --> 10:58.270]  important things. The software and the program, they can be used or that it can be as well adopted
[10:58.270 --> 11:05.750]  in terms of the somebody can have and connect it with our C235 or another bus communication,
[11:05.750 --> 11:11.990]  they can make it and change the software in the program. We as well, we set on this strategy,
[11:11.990 --> 11:18.550]  you know, the actions and the roadblocks and the firewall that nobody can change the software
[11:18.550 --> 11:24.630]  and the program. In terms of the sensor connectivity, everybody knows. Profibus,
[11:24.630 --> 11:31.470]  Modbus, so this topic I will not go into in detail. And the subject of sensor cybersecurity,
[11:31.470 --> 11:36.210]  the status control gives us the opportunity to review that the physical and functionality,
[11:36.210 --> 11:42.610]  the sensor is okay. Also, self-detection and self-assessment is provided as well that the
[11:42.610 --> 11:48.310]  system as well the protocols of the software program and communication are okay. We put an
[11:48.310 --> 11:54.190]  outside on this process, the cryptography code, because according with the mentioned in the last
[11:54.190 --> 12:01.070]  slides, the synchronization on the latency of the process in terms of the high performance processes
[12:01.600 --> 12:08.490]  is not quite okay. We set as well an additional alert console. That means that this process,
[12:08.490 --> 12:14.110]  the alert console process, we set a different bus communication. It's not in the same protocol
[12:14.110 --> 12:20.830]  that we send it as the information data send it to the system. We send it in another channel
[12:20.830 --> 12:27.850]  and as well another kind of information which tell us exactly if the sensor integrity,
[12:27.850 --> 12:38.650]  physical and functionality is adopted. In terms of the essential of the sensor cybersecurity,
[12:40.230 --> 12:47.250]  it show in really two blocks, one and three blocks. One is outside of the system,
[12:47.250 --> 12:52.810]  which is a data interface. The other ones are connected. The detection search,
[12:52.810 --> 12:58.770]  which is called it on the left block now, we call it a dummy because this is essential,
[12:58.770 --> 13:05.110]  just one thermal part or just a resistance that they move according to the level of the water.
[13:05.110 --> 13:12.810]  We call it a dummy sensor. It is dummy sensor connected via an I2C protocol.
[13:12.810 --> 13:20.730]  This protocol has four modes. The standard mode is usually with a speed of 0.1 megabits per second.
[13:21.350 --> 13:27.010]  The information is digitalized and then used to perform on the program with a specific language.
[13:27.010 --> 13:31.510]  The program with this has an algorithm and make the action and perform the activities
[13:31.510 --> 13:37.530]  that which it was programming. One of them is to send the information via a standard protocol to
[13:37.530 --> 13:42.510]  outside of the world, which means that to send the information to the PLC or the motherboards
[13:42.510 --> 13:49.910]  or another kind of communication to the data interface, which is important because the
[13:49.910 --> 13:56.790]  different kind of net protocols, it was difficult to make a cybersecurity performance. That means
[13:56.790 --> 14:03.890]  experience that we have is that synchronization is a very key factor. One topic is in defense of
[14:03.890 --> 14:09.830]  the I2C protocol. Sensing information in some processes is a critical element, especially
[14:09.830 --> 14:15.810]  with a high performance process. Process with production and security information can be lost
[14:15.810 --> 14:21.990]  information only because the process of the bus communication synchronization is not aligned with
[14:21.990 --> 14:29.210]  the process synchronization. And the PLC, if it has a timer and a timing delay,
[14:29.210 --> 14:36.630]  if it's possible to miss key information of the process. That means on the case that latency
[14:36.630 --> 14:44.970]  less than 500 milliseconds and use a crypto code on this communication can be put in a
[14:44.970 --> 14:50.130]  dangerous situation the entire system. So we solve this issue using new security paths in
[14:50.130 --> 14:55.190]  the entire architecture. This is clear that integrated crypto code, as we know from the
[14:55.190 --> 14:59.950]  sensor to outside to the bus node, is not feasible, according to our experience today,
[14:59.950 --> 15:04.310]  based on the total bus and the process synchronization. Both things are important
[15:04.310 --> 15:09.670]  and important to do the cybersecurity, industrial cybersecurity activities.
[15:10.990 --> 15:16.610]  The opportunities that we have in I2C cybersecurity is in terms of the monitoring.
[15:16.610 --> 15:20.730]  Monitoring the sensor integrity as we saw, the equipment safely, and the bus security
[15:20.730 --> 15:27.190]  as main architectural visibility and center management. Defense detections in terms of the
[15:27.190 --> 15:32.110]  bus protocol and the peripheral devices evaluation, the threat detection as a sensor
[15:32.110 --> 15:37.910]  equipment, the malicious code as well, the prevention as the incident response and services,
[15:37.910 --> 15:43.150]  and as well the equipment risk assessment, which means to review the peripheral devices,
[15:43.150 --> 15:45.610]  the service equipment, and the network devices.
[15:46.910 --> 15:51.970]  During this process, in terms of the I2C industrial cybersecurity opportunities,
[15:51.970 --> 15:59.010]  we set a deception exercise. We set a honeypot, lessons learned, and the training that my friend
[15:59.630 --> 16:07.110]  and colleague of this entire venture, with Alfonso as well, we will see in the next presentation from
[16:07.110 --> 16:14.550]  Victor. Well guys, thank you for your time. I'm glad to be here. And well, as you know,
[16:14.550 --> 16:19.570]  there are many experiments at previous publications about honeypots. We apply it for
[16:19.570 --> 16:25.710]  this work on two areas that could be joining it in a small footprint. I mean, a small footprint
[16:25.710 --> 16:35.830]  to detect internal events and incidents. Well, the first one is the training to learn core
[16:35.830 --> 16:40.930]  concepts from previous incidents and learn beyond buzzwords and clickbait cybersecurity
[16:41.610 --> 16:50.050]  because we think that this could be overwhelming for many of us. The second one is to be productive.
[16:50.050 --> 16:56.930]  I mean, to get productive data that allow us to have enough evidence to resolve an incident.
[16:58.610 --> 17:05.190]  To implement this, there are previous conditions, previous steps that are important to be known
[17:05.190 --> 17:12.210]  by the network owners, like a correct networking solution, a legal review,
[17:12.210 --> 17:20.140]  and patents to see results focused on ICS systems versus general malware.
[17:23.170 --> 17:31.650]  And the honeypots as idea and philosophy is very attractive because it's a good way to see
[17:32.290 --> 17:40.370]  an attack in real time. And well, you can learn from it and also helps to replicate previous
[17:40.370 --> 17:47.410]  attacks. In some moments, cybersecurity could be overwhelming for some people. There are too
[17:47.410 --> 17:54.850]  much to learn. But based on previous attacks that we saw, there are core concepts that could be
[17:54.850 --> 18:02.330]  studied. These concepts are covered by the major corporation matrices. And this gave us a
[18:02.330 --> 18:08.010]  structured way to do it. And the second one is, well, how to handle incidents. This could be
[18:08.010 --> 18:15.870]  learned too. And also the ICS architecture concepts are important to give a general fact.
[18:15.870 --> 18:23.130]  And finally, the idea of this experiment or honeypot is that could be installed by power
[18:23.130 --> 18:33.550]  users and not only by cybersecurity people. And learning through analyzing attacks, well,
[18:33.550 --> 18:39.390]  obviously, is the first option, but there is another game. A honeypot could give productive
[18:39.390 --> 18:46.890]  data in a traceable way. There are three main sources to start. The first one, the Windows host
[18:46.890 --> 18:53.930]  from the multiple layers of the ICS and enterprise network. The second one, the network
[18:53.930 --> 19:01.050]  in the different layers too. And finally, the emulation of the services. And well, all of this
[19:01.050 --> 19:09.950]  in the internal network. The first component in our architecture is the Windows host
[19:09.950 --> 19:16.690]  that are being used in different layers. We looked for simple components and tricks
[19:16.690 --> 19:24.930]  that could give us important data about malware. And well, with this setup, we got multiple samples.
[19:24.930 --> 19:33.690]  For example, with the file system trick, we got multiple samples. And also from the network
[19:33.690 --> 19:45.610]  traffic, we observed that the most popular wormhole ports are being used too. And now,
[19:45.610 --> 19:50.910]  regarding lateral movement and ransomware cases, we saw that the biggest and easiest
[19:51.610 --> 20:01.690]  exploits are being used as first option. And from the network side, another component in the
[20:01.690 --> 20:09.070]  architecture, our idea is to keep all the metadata possible as first priority. And the raw data
[20:10.140 --> 20:17.470]  from the multiple sites as second objective. This could be achieved using Zeek and Moloch,
[20:17.470 --> 20:26.110]  these open source tools. But to implement these tools, the Malcolm project helped us a lot to make
[20:26.390 --> 20:32.510]  a quick setup in a productive environment. With this setup, we were able to investigate
[20:33.150 --> 20:36.990]  multiple network movements from the multiple layers of the network,
[20:36.990 --> 20:55.090]  and also to detect dual-homed PCs. About the DMZ, as I mentioned in the first slides,
[20:55.090 --> 21:01.710]  our idea is to make an investigation in the internal network. However, as you know, the DMZ
[21:01.710 --> 21:07.770]  setup was analyzed multiple times in previous investigations. And as you know, the detection
[21:07.770 --> 21:14.150]  is very noisy, and also it's a high risk. So for that reason, we focus on internal networks.
[21:14.150 --> 21:22.630]  But some setups were exposed in a short time using Mexican IPs. And there are two important
[21:22.630 --> 21:30.010]  details that were to be mentioned. The first one is the timing of the attack. There is a correlation
[21:30.010 --> 21:38.710]  between the exposition of the IP on a network-passing SENSIC service versus non-indexed
[21:38.710 --> 21:48.930]  IPs. And finally, there is a gain if multiple protocols are being used instead of only one.
[21:49.890 --> 22:00.190]  And, well, finally, to mimic services, a simple setup was performed on these four sides.
[22:00.190 --> 22:08.870]  The first one is a network emulation. With this, we found that there are many pieces of software
[22:08.870 --> 22:17.110]  that allows you to emulate any port, to replicate any port, and copy
[22:17.810 --> 22:25.030]  this kind of behavior. The second one is about the file servers on the shop floor. For this,
[22:25.030 --> 22:33.030]  the use of honey files were the option. And for the web replication from the front-end
[22:34.770 --> 22:43.650]  web admin consoles, we used the Social-Engineer Toolkit and also HTTrack. And, well, finally,
[22:43.650 --> 22:49.230]  the most important component is Conpot. As you know, Conpot is a very popular piece of software
[22:49.230 --> 23:01.530]  to deploy honeypots. And we used this with some physical components. And to make a quick setup
[23:02.130 --> 23:11.130]  for the power users, we used T-Pot as a main platform. With this, the use of T-Pot was the
[23:11.130 --> 23:23.120]  fastest way to make an implementation by the power users. And, well, that's it, guys. Thank
[23:23.120 --> 23:32.080]  you for your time. As a remark, we saw these points. The USMCA trade is an opportunity to
[23:32.780 --> 23:38.360]  improve the cybersecurity. The second one, well, Mexico is an undiscovered market for the ICS
[23:39.160 --> 23:48.080]  cybersecurity. As Octavio mentioned, there are good numbers that prove this. Also, there's an
[23:48.080 --> 24:01.080]  opportunity to train people in this topic. In all the industrial networks, we found that there are
[24:01.240 --> 24:11.420]  a lot of talented people that could learn in a very fast way. And there is a passion about this.
[24:12.240 --> 24:20.320]  The honeypot technology and the use of the ATT&CK matrices for ICS as part of the formal
[24:20.320 --> 24:27.640]  training and detection is a good trick too. And finally, the speed of the network is not
[24:27.940 --> 24:35.980]  a speed of the process talking about cybersecurity. And, well, thank you for your time.
[24:36.400 --> 24:44.520]  If you have questions, please drop us a line. We will be on the ICS Village Discord channel.
[24:44.520 --> 24:48.720]  Thank you for your time. Have a good day. Thank you.
